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What is Network Intelligence Technology? 

Feeding Detailed Traffic Visibility to Applications 



Applications using 
metadata and content 

feeds 



Cyber 

Security 



f * 

Lawful 

! Interception 

. 









Data 




Other 


Retention 













Network Intelligence 
Technology = 

DPI + metadata extraction 
+ content extraction 

IP traffic flows 




Metadata and 
content feeds 

Delivering 

data 



Extracting traffic 
metadata and content 



Decoding 

protocols 



Beyond DPI! 
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Network Intelligence: 

An Enabling Technology for Interception Systems 



Network Intelligence 
Technology = 

DPI + metadata extraction + 
content extraction 



Intercepted 

traffic 







Functions 

■User interface 

■Rendering of 
communications 

■Storage 

■Correlation 

■Alerts 



QOSMOS 



Functions 

■Advanced protocol decoding 
■Supports new/evolving protocols 
■Traffic classification 
■Extracts traffic metadata + content 
■Support for Gbps+ throughput 
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Network Intelligence Implementation Options 
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Network Intelligence Technology for Monitoring Centers 



Software 
Development Kit 




ixMOS for 
Monitoring Center 


Id 










IA2) 


Developer tool 




Extracts and delivers 


to embed Qosmos 




metadata + content 


into a system 




in real time 
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Challenges for Monitoring Centers 



►I 



Fact 


Challenge for MC vendors / LEA 


1) Exponential growth in HI3 traffic 


Difficult to scale 


2) Decoding software can be 
targeted by cyber attacks and 
intercepted traffic can be unclean 


Need decoding software with built-in 
“Triple R” capabilities and ability to 
handle unclean traffic 



3) Diversity and complexity of Wide protocol support with continuous 

communication applications and updates 
protocols 



4) Increase in of number of targets 
and communication services 



Go beyond rendering of communications 
and add support for investigations based 
on automatic pattern analysis 
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Exponential growth in Intercepted Traffic: 
Use HI3 Load Balancer Based on Nl to Scale 







1 Gbps 
10 Gbps 
interface 



Monolithic MC 

Decoding 

Rendering 

BITS 



■ Not scalable 

■ Overloaded by 
irrelevant traffic 




Network Intelligence 



Load balancer + 
Filter 



By application 
By IP@ 



Scalable 

Optimized 



Centralized 

Rendering 

System 
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Irrelevant traffic (IPTV, etc) 
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Implementation: Scalability Enabled 



Operator 1 




Gbps 

interface 




Operator 2 



■ 



■ 



Gbps 

interface 




Qosmos-based 
HI3 Load balancer 

■ HI3 format 

■ Application LB 

■ Tunneled traffic 

■ IP-address LB 

■ Smart LB on traffic 
metadata 

■ Gbps interface 




Email 

MC 



VoIP 

MC 



Service 

MC 





Mon. 

Center 

Server 




Storage 



LEA 

Agent 
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Benefits 



■j Enables monitoring center to scale from Mbps to Gbps 

■j Reduce by 90% the data volume managed by the monitoring center 

■j Flexible: adapts to the MC vendor’s and LEA deployment 
requirements 

■ Load balancing by application 

■ Load balancing by IP address 

■ Load balancing using any traffic metadata 
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Challenges for Monitoring Centers 





Fact 


Challenge for MC vendors / LEA 




1) Exponential growth in HI3 traffic 


Difficult to scale 


► 


2) Decoding software can be 
targeted by cyber attacks and 
intercepted traffic can be unclean 


Need decoding software with built-in 
“Triple R” capabilities and ability to 
handle unclean traffic 




3) Diversity and complexity of 
communication applications and 
protocols 


Wide protocol support with continuous 
updates 




4) Increase in of number of targets 
and communication services 


Go beyond rendering of communications 
and add support for investigations based 



on automatic pattern analysis 
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Challenge: 

DPI Software Must Work Even Under Difficult Conditions 





Unclean traffic 


■Fragmented 

■Partial 


A 


Must 


\ 


■Malicious forging 

■Obfuscation 

■DDOS 


continue 


Cyber Attacks \ 




to work! 



Example: Need to decode unidirectional traffic 
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Example: Need to handle packet-by-packet 



Normal SMTP 
behavior 



Client 



Server 



Packet by 
Packet SMTP 




Client 




Server 
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Tripe R: Accurate and Battle-Proof DPI/NI Technology 



■j Tripe R = Resilience + Robustness + Reliability 

■ ixEngine has been designed with Triple R in mind 

■j Resilience 

■ Functioning even under adverse external conditions 
(e.g. maliciously forged packets or flows) 




■j Robustness 

■ Performing well during difficult situations (e.g. 
incomplete traffic, SYN flood attacks) 

* Reliability 

■ Adequately decoding traffic even under unusual 
circumstances (e.g. tunnels, obfuscated traffic, non- 
standard protocol behavior) 



Field-proven Technology 

Based on continuous 
feedback from Qosmos 
users in all markets 
(telecoms, enterprise, 
government) and all regions 
of the world 



QOSMOS 
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Benefits 



■j Battle-proof: Built-in Tripe R = Resilience + Robustness + Reliability 

■j Accuracy: Advanced protocol parsing drastically limits the risk of 
missing a target 

■j Field proven: Protocol parsing technology continuously facing real- 
life intercepted IP traffic: 

■ Wired networks / Mobile networks 

■ EMEA, Americas, Asia 

* Continuously updated technology 

■ Adapted to new traffic characteristics 

■ New protocols and applications 
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Challenges for Monitoring Centers 





Fact 


Challenge for MC vendors / LEA 




1) Exponential growth in HI3 traffic 


Difficult to scale 




2) Decoding software can be 
targeted by cyber attacks and 
intercepted traffic can be unclean 


Need decoding software with built-in 
“Triple R” capabilities and ability to 
handle unclean traffic 


► 


3) Diversity and complexity of 
communication applications and 
protocols 


Wide protocol support with continuous 
updates 




4) Increase in of number of targets 
and communication services 


Go beyond rendering of communications 
and add support for investigations based 
on automatic pattern analysis 



!■ QOSMOS 



Page 1 3 






Use Nl Technology to Outsource Diversity and Complexity of 
Communication Protocols and Applications 



Standardized protocols 
Few evolutions 

Smtp, pop, sip, rtp... 



Non standard protocols & applications 
Growing number + constant evolution! 



^ m sd 



fessertg ter 



facebock 



Gm 







A 



Monitorin 



Center 



Core business 



Enable fast investigation 
■ Analyze networks of 
communication 
■ Display information 






Is it your core business to keep 
up with constantly evolving 
protocols and applications?? 




/ 



Role of 



Network Intelliaence 



■ Support protocol & 
application evolution 

■ Support of regional 

protocols 



\ 
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Benefits of Embedding Network Intelligence Technology into 
Monitoring Solutions 



■j Focus on your core business: designing 
solution for efficient investigation 

■j Benefit from continuously updated protocol and 
application parsing engine 

■j Easy to integrate in your monitoring centers 
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Challenges for Monitoring Centers 



Fact 


Challenge for MC vendors / LEA 


1) Exponential growth in HI3 traffic 


Difficult to scale 


2) Decoding software can be 
targeted by cyber attacks and 
intercepted traffic can be unclean 


Need decoding software with built-in 
“Triple R” capabilities and ability to 
handle unclean traffic 


3) Diversity and complexity of 
communication applications and 
protocols 


Wide protocol support with continuous 
updates 


4) Increase in of number of targets 
and communication services 


Go beyond rendering of communications 
and add support for investigations based 
on automatic pattern analysis 
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Exponential Growth in the Number of Targets and 
Communication Services 



■j “Rendering” conversations is 
no longer enough: need to 
also analyze patterns of 
communication 

■j Limited number of LEA 
agents: need to automate 
investigation tasks 
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Leverage Metadata! 



Of Yahoo! Mail (sylvain.fambon) 




Login 

password 





Subject 



£ 



Mobile | Options ▼ | Help 

ADVERTISEMENT 



ii Inbox (2) 






0 From 


Subject 


I Date 


T # t 




\ ] Drafts 






Sylvain Fambon 


subject 


/ Thu 9/2, 6:03 PM 


# 


- 


l=_j Sent 




□ 


Sylvain Fambon 


object J 


' Thu 9/2, 6:02 PM 






& Spam 


Empty 


□ 


Yahoo! 


Bienvenue sur Yahoo! / 


Thu 9/2, 5:56 PM 






t Trash 


Empty 






/ 






- 



Explaining what is traffic metadata 

From: Sylvain Fambon <sf ambon@gmail.com> Ad d to Cent. 

To: sylvain.fambon@yahoo.com 

ISS_Network Intelligence for smarter monitoring centers .pptx (1 376KB) 



Net V'.^ wsig rh»e com m o n so uf 
in today's e^ronment. U 

^hetrue picture of dstVupge, purpose and value. !t is critical to identify 
normal behavior and defend against potential cyber attacks provide a 





Sender 

Receiver 



JMlpHttVWfcVdfc: activity prod 



urce of 



.io Attach Large Files 
Automatic Organizer 
(S Calendar 
Edit Photos 
Q Evite 
** Flickr 
& My Drive 



jjata retention to enS^re compl iance and provide audi^^l^nd 
erfor^ ' ' ^ 



Attached document name, type 
file 




List of contacts with name, 
login, email@ 



you on TV. 



Can analyze this 
automatically! 



Metadata 


Value 


Login 


John@vahoo.com 


Password 


Qosmos 


Subject 


Explaining what is 
traffic metadata 


Text 


Networks are the 
common source of 
data - and sometimes 


Sender 


paul@email.com 


Receiver 


iohn@vahoo.com 


Contact list 


Roger, john, louise ... 


Contact 

name 


Roger Smith 


Contact 

address 


Roger.smith@aol.com 




!■ QOSMOS 



Page 1 8 















Network Intelligence Enables Automation of Investigation 
Process 




to Spam 



io Attach Large Files 
^ Automatic Organizer 
[j] Calendar 
3 Edit Photos 
Q Evite 
•• Flickr 
© My Drive 



Explaining what is traffic metadata 

From: Sylvain Fambon <sfambon@gmail.com> A dd to ~ 

To: sylvain.fambon@yahoo.com 
f ISS .Network Intelligence for smarter monitoring centers pptx (1 376KB) 



Networks are mecommon source of data - and sometimes the only source of 
data -in today's eNironment. Direct visibility Into network activity provides 
£ie true picture of daNysage, purpose and value, it is critical to identify 
formal behavior and de^nd against potential cyber attacks, provide a 
meaStof data retention to erSyre compliance and provide audit trails and 
analyz^erformanceto manage^ality of Service, for just a few examples. 



Attached document name, type 
file 



+ E3 TODAY: 9/2 No events. plus sic 



List of contacts with name, 
login, email@ 



Metadata can feed a database with: 

■ Events 

■ Contacts 

■ Text messages 

■ Dates 

■ Any data contained in protocols 

Rich metadata enables automated 
process with 



Metadata 


Value 


Login 


John@vahoo.com 


Password 


Qosmos 


Subject 


Explaining what is 
traffic metadata 


Text 


Networks are the 
common source of 
data -and 
sometimes ... 


Sender 


paul@email.com 


Receiver 


john@yahoo.com 


Contact list 


Roger, john, louise ... 


Contact 

name 


Roger Smith 


Contact 


Roger.smith@aol.co 


adrress 


m 




Data 

processing 

CEP 



■ Complex event processing 

■ Data processing 



■j Track more events with the same 
number of agents 
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Analyze Communication Patterns 



Of Yahoo! Mail (sylvain.fambon) 



"VX-tiOOf. M AIL Hi, Sylvain | © Available ▼ | Sigr^u^ 



T 



I Search Mail.. 



_ Inbox (2) 

%} Drafts 
Sent 



Presence 

H Trash 




▼ Contacts 
60 online 



Folders 



Contact List 



From: Sylvain Fambon <sfambon@gmail.com> Add to i 
To: sylvain.fambon@yahoo.com 
0 ISS_Network Intelligence for smarter monitoring ct 



text 



Applications □ 1 


.io 


Attach Large Files 


H 


Automatic Organizer 


m 


Calendar 


2 


Edit Photos 


O 


Evite 




Flickr 


© 


My Drive 



^ + E3 TODAY: 9/2 No events. Click the plus sign to add a 




Login 
Password 
Email address 
Content 




Login 




Login 




Login 


Password 




Password 




Password 


Email address 




Email address 




Email address 


Content 




Content 




Content 
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Increasing Number of Targets and Communications: 
Use Metadata to Manage the Huge Amounts 



3) Relevant metadata only 
Sender, receiver, date 
Subject, text 



2) Relevant traffic only 

e.g. Webmail 



1 ) Entire traffic of an 
Intercepted IP address 

IPTV 

Webmail 



Limited volume 




■j Metadata feeds database 

■ Easy to index 

■ Easy to search / find 

■ Easy to correlate, analyze 

■j Metadata as an additional 
layer to index 
communication content 

■d Metadata can even replace 
communication content 

B d Major storage savings! 
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Massive volume 
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1 



Major storage savings! 

Read an email from a 

webmail page = 2.27 MB 



CO us.mg3.mail.yahoo.com/dc/launch?.gx=l&.rand=5cnu3r3rnatbmo 



☆ A 



^XHoO! mail Hi, Kara, Hockey ▼ | 9 Available ■w | Sign Out 



Yahoo! | My Yahoo! I ^ Search 



Check Mail | New 


What’s New Inbox 873 emails x | 


Message36: 


Or Search Mail... Go | 


| Delete | Reply - Forward | | Spam | Move ~ 



Magic Farm 

5. Inbox (822) 

Vl Drafts (9) 

^ Sent 

to Spam (1) Empty 

M Trash Empty 

▼ Contacts Add 

1 online 



io Attach Large Files 
H3 Automatic Organizer 
Calendar 
9 Edit Photos 
Q Evite 
•• Flickr 
IS My Drive 



Message36: Metadata enables major storage savings Tue, June is, 2010 4:os:so pm p 

From: "alias, virgule" <qosmos.qosmos@gmail.com> Igii View Contact 
To: ewic.babela@yahoo.fr; kara <kara.hockey@yahoo.com>; kara.the61@yahoo.com; badboy <badboy .yeah@yahoo.com> 

Cc: klown <great.grande@yahoo.com>; qosmos.qosmos@gmail.com; magnifica <super.magnifico@yahoo.com>; 
qulbutoke@gmail .com 

@ 4 Files View Slideshow Download All 

attach3.txt (1KB); attach5.txt (1KB); attach4.txt (1KB); attachl jpg (121KB) 



Qosmos Network Intelligence Technology extracts metadata at all layers, from the network layer 
to the application layer (layer 7), in order to provide a comprehensive understanding of network 
flows at protocol, application and user levels. 



1 Tmarip I ViPW Tmanp I ITnwnlnarl qplprtprl I nnwrJnarl fill 
03 T ODAY: 9/30 No events . Click the plus sign to add an event . 



Ad 



Elements | [m I Resources | Scripts 

I 



^Profiles Storage ^Audits [jj Ci 



Q, Search Resources 



Decouvrez 

le nouveau 
catalogue But, 

516 pages 

d'idees 
pour toute 
la maison. 



Cliquezicife 

ZZI o 



Documents Stylesheets Images Scripts XHR Fonts Other 




62.53KB 125.06KB 187.59KB 250.12KB 312.65KB 375.19KB 437.72KB 500.25KB 562.78KB 625.31 



687.84KB 750.37KB 812.90KB 



Documents Stylesheets Images Scripts XHR 

■ - i i- -i-i i i“i i - - — i - i i.-- i“i i - i i - i — i i“i a -jnun .H .H — 



63.5SKB 



0.97KB 1 .73 MB 



1 13.73KE 






150 ratio! 



Read an email with 

metadata = 15 KB 



Metadata 


Value 


Sender 


john@email.com 


Receiver 


peter@yahoo.com 


Date 


2011/02/09 


Subject 


Metadata enables major 
storage savings 


Message 


Qosmos Network Intelligence 
Technology extracts metadata 
at all layers, from the network 
layer to the application layer 
(layer 7), in order to provide a 
comprehensive understanding 
of network flows at protocol, 
application and user levels. 








Other 


Total 


97 .75 KB 


2.27 MB 
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Benefits 



■j Metadata enables automated investigation 

■ To handle the exploding volume of events to track 

■ Without huge increases in the number of agents 

■j Metadata means more agile investigation 

■ Investigate relationships between targets 

■ Use data/text mining tools based on metadata 

* Storage savings using metadata instead of full packet payloads 



Network Intelligence supports 
the strategic evolution of monitoring centers 
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Thank You! 




QOSMOS 

Your Network is Information 



Qosmos, Qosmos ixEngine, Qosmos ixMachine and Qosmos Sessionizer are trademarks or registered trademarks in France and other countries. 
Other company and products name mentioned herein are the trademarks or registered trademarks of their respective owners. Copyright Qosmos 2010 
Non contractual information. Products and services and their specifications are subject to change without prior notice 

© Qosmos 2010 




Page 24 



Benefits of embedding Qosmos Network Intelligence 
Technology & DPI 



Challenge 


Benefits of embedding Qosmos 


Huge development effort to 
implement DPI that is 
-Accurate 
-Robust 
-Scalable 


■ Ready to use, easy and fast to integrate 

■ Hundreds of network protocols & 
application variants, and 4500+ 
metadata recognized 

■ Field proven technology up to core 
network speeds (n x 10 Gbps) 



Technology needs to be ■ Continuously updated protocols 

constantly updated ■ SLA on updates when protocols evolve 

■ In-house productivity tools to accelerate 
protocol plugin development 



Don’t worry about new protocols or applications 
Embed DPI and Network Intelligence from Qosmos in your MC solutions 
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Checklist When Choosing a DPI/NI Technology Partner 




Is the company well-established, with a stable customer base and 
investors? 




Is the business model aligned for strategic partnership? 




Is the technology able to handle a large number of protocols, 
applications and metadata? 




Does the decoding engine support for all leading processor 
architectures (Intel, NetLogic, Cavium, Tilera, etc.)? 




Is the company able to provide development assistance and 
worldwide technical support? 
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